-
Notifications
You must be signed in to change notification settings - Fork 1
202 lines (197 loc) · 11.5 KB
/
gt-update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
#
# __ __
# / /____ ___ ____ ___ ___ _/ / This script is provided to you by https://github.com/tegonal/gt
# / __/ -_) _ `/ _ \/ _ \/ _ `/ / Copyright 2022 Tegonal Genossenschaft <[email protected]>
# \__/\__/\_, /\___/_//_/\_,_/_/ It is licensed under European Union Public License v. 1.2
# /___/ Please report bugs and contribute back your improvements
#
# Version: v1.1.0-SNAPSHOT
###################################
name: "gt update"
on:
schedule:
- cron: '0 4 * * MON'
workflow_dispatch:
jobs:
determine_remotes:
name: Determine Remotes
runs-on: ubuntu-latest
if: github.repository_owner == 'tegonal'
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST
run: |
gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
|| (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
|| (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)"
- name: Install gt
run: |
set -e
# see install.doc.sh in https://github.com/tegonal/gt, MODIFY THERE NOT HERE (please report bugs)
currentDir=$(pwd) && \
tmpDir=$(mktemp -d -t gt-download-install-XXXXXXXXXX) && cd "$tmpDir" && \
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc" && \
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc.sig" && \
gpg --verify ./signing-key.public.asc.sig ./signing-key.public.asc && \
echo "public key trusted" && \
mkdir ./gpg && \
gpg --homedir ./gpg --import ./signing-key.public.asc && \
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.4/install.sh" && \
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.4/install.sh.sig" && \
gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
chmod +x ./install.sh && \
echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!\n"; exit 1) && \
./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \
false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}"
# end install.doc.sh
- uses: actions/checkout@v4
- id: set-matrix
run: |
(readarray -t REMOTES; IFS=','; echo "matrix={ 'remote': [ ${REMOTES[*]} ] }" >> "$GITHUB_OUTPUT") < <( gt remote list | sed -E "s/(.*)/'\1'/")
Update:
needs: determine_remotes
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.determine_remotes.outputs.matrix) }}
name: 'Update ${{ matrix.remote }}'
steps:
- name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST
run: |
gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
|| (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
|| (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)"
- name: Install gt
run: |
set -e
# see install.doc.sh in https://github.com/tegonal/gt, MODIFY THERE NOT HERE (please report bugs)
currentDir=$(pwd) && \
tmpDir=$(mktemp -d -t gt-download-install-XXXXXXXXXX) && cd "$tmpDir" && \
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc" && \
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc.sig" && \
gpg --verify ./signing-key.public.asc.sig ./signing-key.public.asc && \
echo "public key trusted" && \
mkdir ./gpg && \
gpg --homedir ./gpg --import ./signing-key.public.asc && \
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.4/install.sh" && \
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.4/install.sh.sig" && \
gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
chmod +x ./install.sh && \
echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!\n"; exit 1) && \
./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \
false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}"
# end install.doc.sh
- uses: actions/checkout@v4
- name: reset gpg keys
run: gt reset --gpg-only true -r "${{ matrix.remote }}"
- name: gt update
id: gt_update
run: |
set -euo pipefail
gt update -r "${{ matrix.remote }}"
gt update -r "${{ matrix.remote }}"
echo "remote_version=$(git --git-dir='.gt/remotes/${{ matrix.remote}}/repo/.git' tag | sort --version-sort | tail -n 1)" >> $GITHUB_OUTPUT
- id: has_changes
name: git status
run: |
set -euo pipefail
git status
gitStatus=$(git status --porcelain)
(if [[ $gitStatus != "" ]]; then echo "has_changes=1"; else echo "has_changes=0"; fi) >> $GITHUB_OUTPUT
- name: git commit
if: ${{ steps.has_changes.outputs.has_changes == 1 }}
run: |
set -euo pipefail
git config --local user.name 'tegonal-bot'
git config --local user.email '[email protected]'
git commit -am 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' || true
- name: cleanup-on-push-to-main
if: ${{ steps.has_changes.outputs.has_changes == 1 && hashFiles('./scripts/cleanup-on-push-to-main.sh') != '' }}
run: |
(
./scripts/cleanup-on-push-to-main.sh || (printf '\033[0;31mERROR\033[0m: during cleanup, see error above\n' && false) &&
(git commit -am 'cleanup after gt pull for remote ${{ matrix.remote }} and version ${{steps.gt_update.outputs.remote_version}}' || (printf '\033[0;31mERROR\033[0m: during commit, maybe no changes due to cleanup (which would be fine)?, see above\n'; false ))
) || (printf '\033[0;34mINFO\033[0m: going to reset changes back to the status after `gt update` and continue without cleanup\n' && git reset --hard)
- name: Create pull request if necessary
if: ${{ steps.has_changes.outputs.has_changes == 1 }}
uses: peter-evans/create-pull-request@v7
with:
branch: 'gt/update/${{ matrix.remote }}'
base: main
title: 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt'
commit-message: 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt'
body: "following the changes after running `gt update -r \"${{ matrix.remote }}\"` and reset gpg keys"
delete-branch: true
token: ${{ secrets.AUTO_PR_TOKEN }}
push-to-fork: ${{ vars.AUTO_PR_FORK_NAME != '' && vars.AUTO_PR_FORK_NAME || secrets.AUTO_PR_FORK_NAME }}
signing_key:
name: "Check signing-key"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: check if signing key already are or will expire within the next 3 months
run: |
set -euo pipefail
currentDir="$(pwd)"
signingKey=".gt/signing-key.public.asc"
if [[ -f "$currentDir/$signingKey" ]]; then
tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX)
gpg --homedir "$tmpDir" --import "$currentDir/$signingKey"
limitTimestamp=$(date -d "+3 month" +%s)
limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S")
echo "checking if the following public keys defined in $signingKey are valid until $limitDate"
gpg --homedir "$tmpDir" --list-keys \
--list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \
--keyid-format LONG
echo ""
expired=0
while read -r key; do
keyId=$(cut -d ':' -f5 <<<"$key")
expirationTimestamp=$(cut -d ':' -f7 <<<"$key")
if (( expirationTimestamp < $limitTimestamp )); then
expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S")
printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate"
((++expired))
fi
done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)')
[[ $expired -eq 0 ]]
else
echo "$signingKey does not exist in this repo, nothing to check"
fi
trusted_keys:
name: "Check trusted-key(s)"
runs-on: ubuntu-latest
steps:
- name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST
run: |
gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
|| (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
|| (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)"
- name: check if gpg key(s) we trust already are or will expire within the next 3 months
run: |
set -euo pipefail
limitTimestamp=$(date -d "+3 month" +%s)
limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S")
echo "checking if the following public keys defined in PUBLIC_GPG_KEYS_WE_TRUST are valid until $limitDate"
gpg --list-keys \
--list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \
--keyid-format LONG
echo ""
expired=0
while read -r key; do
keyId=$(cut -d ':' -f5 <<<"$key")
expirationTimestamp=$(cut -d ':' -f7 <<<"$key")
if (( expirationTimestamp < $limitTimestamp )); then
expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S")
printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate"
((++expired))
fi
done < <(gpg --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)')
[[ $expired -eq 0 ]]